Risk Assessment —

Why Intel’s “How Strong is Your Password?” site can’t be trusted

Lack of HTTPS + questionable metrics = don't rely on it.

A new website published by chipmaker Intel asks readers "How Strong is Your Password?" and provides a form for estimating the strength of specific passcodes. It's too bad the question isn't "How Strong is your Password-grading site," because the answer, unfortunately, is "not very."

The most glaring problem with the site is its failure to use standard HTTPS Web encryption. Based on the secure sockets layer and transport layer security protocols, HTTPS ensures that a Website being accessed is authentic and operated by a legitimate entity, as opposed to a knock-off page created by someone who is able to control the end user's Internet connection. It also encrypts traffic sent between the end user and site to prevent anyone else from eavesdropping. It wouldn't take much effort for someone to create a convincing replica of the McAfee-powered site and substitute it for the real one on a network in a coffee shop, at a conference, or in another setting. At that point anything a visitor typed could be sent to the attacker. Authoritarian regimes have also been known to inject code into legitimate sites to log account credentials.

To be sure, there are caveats. The site instructs users: "PLEASE DO NOT ENTER YOUR REAL PASSWORD," but I'd bet some percentage of users will ignore this request. Even then, the attack wouldn't reveal the user name corresponding to the password, or even the service or site they belong to. Still, the attack could be used in campaigns aimed at a specific individual or group to gain important insights about the passwords the targets use. More importantly, I'd expect a site with a goal of educating the masses about password security would tell users they should never enter a password on a plain HTTP connection. And I certainly expect Intel and its McAfee subsidiary to offer HTTPS on their own sites. The lack of encryption and authentication is surprising. I'd strongly discourage readers from entering any passwords they trust or use to secure important accounts.

The other problem with McAfee's site is the methodology used to rate the strength of passwords. The site estimates that it would take six years to crack the passcode "BandGeek2014" (minus the quotation marks) and three months to crack "windermere2313". Last week, I shoulder surfed as Jens "Atom" Steube, the lead developer of the freely available ocl-Hashcat-plus password-cracking program, decoded most of a list of 16,000 cryptographically hashed passcodes that were leaked on the Internet several months ago. It took him less than 30 minutes to break both of those passwords.

Conversely, the site says it would take only two years to crack "nIGpkQ8s.W6". That's a password I randomly generated for the purposes of this article, one that likely could be cracked only through the computationally painstaking process of brute forcing. Because it contains 11 characters and uses numbers, symbols, and upper- and lower-case letters, there are 95^11 possible combinations, a massive "keyspace" that could take real-world crackers years or even centuries to exhaust.

The Intel site doesn't explain how it arrived at the conclusion that "nIGpkQ8s.W6" is three times faster to crack than "BandGeek2014"—and ultimately it doesn't matter. What's important is that this site should never be trusted with real passwords and can't even be counted on to give realistic assessments about the relative strength of passwords. By asking users, "Are you hackable or uncrackable?" it comes uncomfortably close to what security guru Bruce Schneier calls "security theater."

In the coming month or so, Ars will publish a series of articles showing how passwords are cracked in the real world and techniques end users can follow to prevent these attacks. Stay tuned.

Promoted Comments

Yes, right around the time we invent a flying submarine. Multi-factor authentication will, by definition, require carrying around some gadget, whether it provides a token or scans your body. That's inherently inconvenient.

And, ubiquity doesn't help. If a third party provides the gadget, you now have to figure out how to trust that third party.

I'm going to be 100% honest here. I am so TIRED of being told that my passwords suck, they're not good enough, and that I need to be smarter about my online security.

I know that's all true. But dammit man, I'm only human, it's becoming increasingly more frustrating just trying to use the internet now that every single website makes me log into some sort of account and then gets hacked and makes me change it.

Not to mention I should be using different log in names and emails for anything important. Which only compounds the issue further. How many email addresses am I supposed to keep up with?

Look, I get it, it's critically important that I take my security online seriously, but I am just tired of the game. It's like having a lock on every single door in your house each with a different key. Does that make your house safer? Sure, in a sense. Does it make getting around your own house hard as hell? Yes, it does. That's how I feel on the internet. Every damn door needs to be locked with its own key and I am going nuts trying keep things in order.

Does Lastpass help? Sure. To an extent, but good luck using that randomly generated 16 digit monster to log in on your phone to that company's specific app.

Rant over. I hate passwords and we need a technology that will help us move passwords beyond their glaring weakness, that we're all stupid mortals.

I appreciate your candor, and agree it's an annoyance.

I hate security questions, especially when they make you pick 3 from a short list. I manage my passwords well, but now I'm doling out personal information to all these sites so that some jackass who knows my mother's maiden name and where I went to high school can reset my account? That's more likely than them figuring out my passwords. So then you're using fake information for those questions but have to keep track of all that just in case? Screw that. I like using a phone number for recovery, but most sites don't let you get rid of the security questions.

So the calculation is:
1. every common password string counts as a lowercase character
2. every upper or lower case character counts as 26
3. every numerical digit counts as 10
4. every special character counts as 32
5. multiply the value of each character together
6. a hacker can compute 17 billion guesses in an hour

Looking at this password checker it seemed totally ridiculous so I decided to figure out what it was actually doing. For anyone who wants to confirm my work the file in which the passwords are checked is Password.js.

Yes, the passwords are looked at locally in JavaScript. I can't guarantee that it does not send any information over the internet, for every time I click the "GRADE MY PASSWORD" button it does request a new image from an automatically generated URL that is filled with gobbledygook that could theoretically contain the password, though it doesn't contain it in plain text form.

So how does the algorithm work? Well, first it takes the password and replaces any 'word' from a list of 'topwords' with an 'a'. The list of topwords appears to change every page load and is filled with what I presume are some common passwords from somewhere... not quite sure where. Next it generates a variable called 'entropy' which is equal to ( (26^Number of Lower Case Characters * 26^Number of Upper Case Characters * 10^Number of Digits * 32^Number of Special Characters) / 2 ). It divides entropy by what it calls standard 'comp' (I'm not sure if comp means computer or computational) power, or 2^34, and declares this the number of hours. It prints the number of hours out to the screen after a fashion (including a lot of rounding).

So what is wrong with this algorithm? Really it comes down to two things. 'entropy' appears to be intended to be the average number of tries it would take an attacker to find your password using a brute force attack that goes through passwords in a random order. Unfortunately it is actually that number only in the event that the attacker already knows if each character is a lower case, upper case, numerical, or special character. As this is not the case in (practically) any real life situation, the algorithm is useless and creates a few interesting artifacts: an 8 character all lower case password takes 6 hours to break while an 8 character password with 2 lower case, 2 upper case, 2 digits, and 2 special characters takes only 1 hour.

The second issue is the treatment of words on the 'topwords' list. The list is about 140 words long, so even if the attacker knew the number and location of these words, like the algorithm presumes he does with the other characters, the logical improvement is 140^Number of words, not, what comes out as, 26^Number of words. I'm also very doubtful of the quality of this list. I'm not reproducing it here for a variety of reasons (swear words, length, dynamic nature) but let's just say I don't believe that eeeee1 is actually one of the top 140 words.

Coming up with an accurate measurement is undoubtedly hard because it requires guessing the techniques that most hackers use for generating lists, but these are clearly not them.
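The grading formula the commenter above reverse-engineered from Password.js, reconstructed as an added example (not code from the site or from the commenter), with a conventional keyspace estimate beside it to show the inversion the comment describes. The 2^34 guesses-per-hour constant is the one quoted above; the topwords list is a constructed stand-in for the site's dynamic list.

```python
"""Reconstruction of the site's grading formula next to a keyspace estimate
that does not assume the attacker knows which character class sits where."""
import string

GUESSES_PER_HOUR = 2 ** 34            # the site's 'comp' constant (~17 billion/hour)
TOPWORDS = ["password", "qwerty"]      # constructed placeholder for the ~140-word list
PRINTABLE = 95                         # printable ASCII: 26 + 26 + 10 + 33 symbols


def site_hours(password, topwords=TOPWORDS):
    """The site's estimate: each listed word collapses to the single letter 'a',
    each remaining character is weighted by its own class size, the product is
    halved for the average case, then divided by the guess rate."""
    collapsed = password
    for word in topwords:
        collapsed = collapsed.replace(word, "a")
    lower = sum(c in string.ascii_lowercase for c in collapsed)
    upper = sum(c in string.ascii_uppercase for c in collapsed)
    digit = sum(c in string.digits for c in collapsed)
    special = len(collapsed) - lower - upper - digit
    entropy = (26 ** lower) * (26 ** upper) * (10 ** digit) * (32 ** special) / 2
    return entropy / GUESSES_PER_HOUR


def keyspace_hours(password, guesses_per_hour=GUESSES_PER_HOUR):
    """Brute-force estimate over the union of classes present: the attacker is
    assumed to know which classes occur, but not the position of each one.
    Any non-alphanumeric character counts as one of the 33 printable symbols."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        alphabet += PRINTABLE - 26 - 26 - 10
    return (alphabet ** len(password)) / 2 / guesses_per_hour


def years(hours):
    return hours / (24 * 365)


if __name__ == "__main__":
    # Passwords from the article plus the commenter's two 8-character artifacts.
    for pw in ["BandGeek2014", "nIGpkQ8s.W6", "aaaaaaaa", "aaAA11!!"]:
        print(f"{pw:14} site: {years(site_hours(pw, [])):12.2f} y"
              f"   keyspace: {years(keyspace_hours(pw)):14.2f} y")
```

With an empty topwords list the reconstruction reproduces the article's figures (about 6 years for BandGeek2014, about 2 years for nIGpkQ8s.W6), and ranks the mixed-class 8-character password below the all-lowercase one, which the keyspace estimate reverses.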

A. A short word (4-5 letters) and capitalize two of the letters.
B. Two different symbols.
C. A four or five digit number.
D. A few letters from the website URL.
E. Mix them together.

A. For example, a short word could be anything. So let's use "pass". Capitalize two letters. The P and the first S in my example. So we have PaSs.
B. Two different symbols: "(" and ")" for this example.
C. A four or five digit number: A zip code you remember (90210, for example).
D. A few letters from the website before the domain: Last four letters of this one (since this is the website I'm at). "nica"
E. Mix and match. Let's go with D-B1-A-B2-C. The result is nica(PaSs)90210

At google.com it would be ogle(PaSs)90210

This is a 15 character password that you make up which is easy for you to remember that's unique to every site you visit. You'll never, EVER have to write this down and it will withstand any attack for the next several centuries. If it IS cracked, only one website will be compromised (since most people use the same password for every site). It takes a few of them getting cracked before the algorithm becomes apparent, and your username is still needed to get inside.

It's not that hard, if you can remember what YOU made up in the first place and can read the URL of the site you're on. My clients all use this kind of method quite successfully.

Not to sound crass, but I think you may want to suggest something else. I think it's safe to say that many people aren't smart enough to mix up passwords between different sites. In that scenario, their key-word is going to be the same. And more than likely, the zip-code is going to be the same. So all that's changed is the first n letters that specify the site that you're on.

This just screams reproducible pattern.

/shrug.

To be fair, I am by no means any better, so I acknowledge I'm throwing stones at glass houses.

But this doesn't scream security to me. Sorry mate.

I always thought of these sort of sites as an excellent way for harvesting passwords to make lists for brute force attacks.

Previously I've seen sites linked, from Ars even, where you can supposedly check your password to see if it has been cracked from a stolen list. Whilst I doubt Ars would be as negligent as to forward visitors to a password harvesting site, I generally treat them all like this - as password harvesting sites.

Why is not having HTTPS such a problem in this case? I don't see Ars using HTTPS. If the site is just taking some input and telling you about a password, why is HTTPS a requirement?

because, if you're an idiot, you use the same password on multiple sites, and then log on through compromised hotel wifi (even though it's encrypted wifi, someone simply booked a room, compromised it, and installed a rootkit).

So, I tried just a random idea. I took an old CD Key from a crappy RTS I hated as a template and tweaked a few characters, threw some salt on it, and Intel's site 'helpfully' estimated it would take ~863 years to crack.

The reason for the difference in numbers is, as the article hints at, because none of the sites are doing actual dictionary look ups.

At the very least, checking if parts of the password are in a dictionary would give better estimates, but you can only go so far doing estimates before you end up creating an actual password cracker!

e.g. checking for dictionary words isn't easy if words are strung together, ThisIsATest requires testing every possible combination of adjacent letters against a dictionary, some clever optimizations can be done, but even so, doing a proper estimation is hard.

Why is not having HTTPS such a problem in this case? I don't see Ars using HTTPS. If the site is just taking some input and telling you about a password, why is HTTPS a requirement?

because, if you're an idiot, you use the same password on multiple sites, and then log on through compromised hotel wifi (even though it's encrypted wifi, someone simply booked a room, compromised it, and installed a rootkit).

i have been that idiot. :X

I would never put any of my real passwords into a site like this in the first place. I would choose something similar to see what it would report and extrapolate based on that. Assuming you don't hand over any of your "real" credentials, I don't see the point. The rest of the reasoning seemed to be based around the basic reasons why you should use HTTPS, and wasn't really specific to this site, after pointing out it was one of its biggest flaws.

The pwdmeter.js has a copyright date of 2007 on it, this is not exactly new stuff.

Granted Intel's might be smarter and do checking for different types of dictionary attacks, in which case maybe I could see them needing to offload onto a server, since JS might be too slow for the type of workloads, and such things are amazingly parallelizable and Intel has, if nothing else, lots of cores to throw at problems!

As far as I can tell, there's no evidence the Intel site sends passwords to a server. But that's immaterial. HTTP websites can be spoofed and made to do whatever the attacker wants, including slurping passwords.

Why is not having HTTPS such a problem in this case? I don't see Ars using HTTPS. If the site is just taking some input and telling you about a password, why is HTTPS a requirement?

because, if you're an idiot, you use the same password on multiple sites, and then log on through compromised hotel wifi (even though it's encrypted wifi, someone simply booked a room, compromised it, and installed a rootkit).

i have been that idiot. :X

I would never put any of my real passwords into a site like this in the first place. I would choose something similar to see what it would report and extrapolate based on that. Assuming you don't hand over any of your "real" credentials, I don't see the point. The rest of the reasoning seemed to be based around the basic reasons why you should use HTTPS, and wasn't really specific to this site, after pointing out it was one of its biggest flaws.

No big deal either way, it just seemed odd to me.

The point is that real security comes from a layered approach. I put my faith into the fact that the WiFi was encrypted, and that was "enough" to log into non-crucial stuff. I didn't have anything important compromised because it all used HTTPS, and I didn't use the same passwords for those. If I were even a tad lazier, though, I would have put my employer at huge risk (as well as my paycheck).

skin of my teeth, and all that. all i lost was a throwaway gmail account and some forum logins.

There's certainly something sketchy about the site. It also mentions a sweepstakes, but then has no link (that I can find) to the terms and conditions of the sweepstakes or any other information about it.

Intel reckons XKCD's example password (with spaces) would take 182598077247 years to crack. XKCD reckoned 550 years at 1000 guesses/sec (which seems low, but there you go).

If XKCD's estimate of 44 bits of entropy is accurate, then Intel's estimate amounts to about 96 guesses per year. I'm fairly sure that even a CPU-based cracker could outdo that rate by a fair margin.

Edit: if 2^44 is without spaces, that's 121k guesses a year. Still not believing that for a second.

Intel appears to be working on a naive letter-by-letter approach, while xkcd used a word-by-word approach (effectively a 4 character password, where each character comes from the very large set of common english words). Not that it does much to support Intel's figure (in fact, demonstrating that you don't actually get ~8 bits of entropy per character under most circumstances is a blow to their method), but it would explain the discrepancy.

would tell users they should never enter a password on a plain HTTP connection

Guess I can't login into Ars anymore....

It looks like they are just using JavaScript to judge the password, so it shouldn't even get transmitted. There is something odd about the site though, maybe a work in progress? They mention a sweepstakes but there is no other information on it even if you get a crazy number of years to crack.

I would never put any of my real passwords into a site like this in the first place. I would choose something similar to see what it would report and extrapolate based on that. Assuming you don't hand over any of your "real" credentials, I don't see the point.

I wouldn't hand over any real credentials either. Nor do I click on any links that are e-mailed to me without checking where it truly goes, or ever click anything that says "click here to upgrade your Adobe Flash". It's common sense.

Yes, for you, me, and likely every person reading this article; that is common sense. For the *average* surfer, the target demographic for this little app? Not so much.

I work with a lot of 'otherwise intelligent but computer illiterate' people who wouldn't hesitate to put their real password into that website because "It's from Macaffee/Intel/someone-I-should-trust".

would tell users they should never enter a password on a plain HTTP connection

Guess I can't login into Ars anymore....

It looks like they are just using JavaScript to judge the password, so it shouldn't even get transmitted. There is something odd about the site though, maybe a work in progress? They mention a sweepstakes but there is no other information on it even if you get a crazy number of years to crack.

They're using Javascript to evaluate the password, but since they're not using HTTPS to serve the page and its Javascript, either resource could be modified in transit (the page or the Javascript) to send entered passwords to an attacker.

The "sweepstakes" (assuming it actually happens) is one of those "share on Facebook or Twitter and you could be randomly selected" sort of things.